Emergency IE patch goes live as exploits proliferate

Updated Microsoft released an emergency security update for all versions of Internet Explorer on Thursday as attacks exploiting a critical vulnerability in the widely used browser spread to hundreds of websites.

The patch fixing the IE vulnerability used to penetrate the defenses of Google and other large companies came as anti-virus provider Symantec said the flaw was being exploited on "hundreds of websites." While some of the sites hosting the attacks were free services that had been co-opted, others appeared to be domains of legitimate companies that had been compromised.

"I'd consider this the first widescale attack that's been seen for this," Joshua Talbot, security intelligence manager for Symantec's Security Response group, told The Register. "The fact that the attacker has gone through the effort to set up hundreds of sites is a good indication of what other attackers are also doing right now. It's highly likely that other attackers will be retooling their attack toolkits to utilize this in driveby downloads to infect users."

Updates will be automatically installed by systems configured to receive such updates. Those who don't want to wait can manually apply the patch by visiting this link with IE. In an admission that's sure to spark criticism, Microsoft said it learned of the critical bug more than three months ago.

Microsoft said earlier Thursday that it continued to see "limited and targeted attacks against Internet Explorer 6 only." The company nonetheless strongly urged users to install the fix as soon as possible. While Talbot believes the attacks have now gone mainstream, he said none of the attacks he's seen in the wild are successful against versions 7 and 8, thanks to security features Microsoft has baked in to the browser.

The unscheduled bulletin fixes a memory corruption flaw in most versions of the widely used browser that allows attackers to execute malicious code simply by luring victims to a booby-trapped website. It fixes seven other privately reported vulnerabilities, some of which also made remote code execution possible, that Microsoft had been planning to issue next month during its next regularly scheduled patch release.

The update patches the holes by modifying the way IE handles objects in memory, validates input parameters, and filters HTML attributes. Although IE 5.01 isn't vulnerable to the exploits that penetrated Google, that version is susceptible to exploits targeting other bugs, so Thursday's patch is considered critical for all users.

This is the 12th time Microsoft has issued a patch since 2003, when it began releasing security updates on the second Tuesday of each month. The software maker released the out-of-band update after Google took the unusual step last week of publicly proclaiming its security was pierced by attackers it believes were located in China. It said at least 20 other large companies were similarly targeted, a number independent researchers later raised to 33.

Similar attacks targeting government agencies and companies in the defense and energy industries in the US and UK continue, according to this report issued Thursday by Websense.

Microsoft is generally reluctant to issue unscheduled updates out of deference to customers who want time to test how the changes will affect their systems.

Earlier this week, security firms including Websense and McAfee reported seeing copycat attacks that use the same code used against Google, but until now, those attacks appeared to be limited to a handful of websites that mostly targeted Chinese-speaking users. The new attacks are hosted on a variety of websites, including "well-known dynamic DNS hosting sites," Talbot said.

Systems compromised by the sites reported by Symantec were infected with a backdoor that collected registry settings and other system information and sent it to an email address that was under the control of attackers. That email address has since been disabled, Talbot said.

The attack code is different than that used to compromise Google, but appears to have been derived from exploits that went public late last week. While researchers have devised proof-of-concept code that successfully exploits Microsoft's most recent version of IE, all in-the-wild attacks that have been reported so far are successful against only IE 6.

"All these other attackers who are less sophisticated leverage that proof of concept and reuse it, so they're really not adding anything new or doing their own research and figuring out how to make it more reliable on more platforms," Talbot said. "They're just reusing the work that's already been provided."

He said security features available in more recent browsers - such as ASLR, or address space layout randomization, and DEP, or data execution prevention - have so far neutralized the public exploits.

Nonetheless, Symantec's report that hundreds of websites are now hosting the attack adds urgency to the emergency update. And the ability of white hat hackers to successfully compromise IE 7 and 8 means black hats can't be far behind. ®